Hello, I see you have gone a long way since I last updated [1].
I offer my help in implementing and supporting the PKCS#11 key module. I maintain some PKCS#11 implementations in different projects; you can view some of my activity at [2]. The quickest solution would be based on the current OpenSSL key module and my pkcs11-helper library [3], as it already supports PKCS#11 and the OpenSSL engine. The only issue is that RSA_PKCS1_OAEP_PADDING is not supported by most PKCS#11 implementations, so RSA_PKCS1_PADDING should be used. I can also drop OpenSSL usage to the extent of the ability to extract e, n from the X.509 certificate and calculate the hash in *generate_signature(). Do you prefer one over the other?

Also, I don't really understand *generate_key() and its relevance to the key module. I don't think this should be implemented for PKCS#11, as there are utilities to do exactly that.

Unlike file-based cryptography, smartcard-based cryptography is dynamic: a smartcard can be removed and inserted at any time. From what I understand from a quick review of the source, the key module is doing private key decryption when a file is opened. If this is so, what happens when the smartcard is not available or the PKCS#11 session disconnects or expires? Do we fail the system call? Prompt the user? How do we notify the user that he is unable to access files because he needs to insert his XXXX smartcard, or re-type his passphrase? Where does the user re-type his passphrase?

Usually smartcard-enabled applications have the following user prompts:
a. Token prompt (Please insert token XXXX).
b. Passphrase prompt (Please type passphrase for token XXXX).
Both of these can be called at any time during a session in blocking mode, so that the system call may proceed. For these we need to have some mechanism for user interaction; I hope this is what the daemon is all about. But in order to interact with the user's desktop we should also register the DISPLAY variable or something with the mount command.

What do you think? Have I gotten this right? Are you interested in my help?
Best Regards,
Alon Bar-Lev.

[1] http://lkml.org/lkml/2006/5/5/28
[2] http://alon.barlev.googlepages.com/open-source
[3] http://www.opensc-project.org/pkcs11-helper

eCryptfs-devel mailing list, eCryptfs-devel@lists.sourceforge.net, https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel